Internet of Things (IoT) refers to the networked interconnection of physical things. IoT has amplified the ubiquity of the Internet by integrating embedded systems into everyday life, leading to a highly-distributed network of devices connecting with human beings as well as other devices. IoT creates the ability for physical objects to remotely interact via the Internet. In recent years, IoT has gained much attention around the world. The connection of physical objects to the Internet makes it possible to remotely access sensor data and to control the physical world from a distance. IoT devices utilize a number of communication protocols to provide connectivity among devices. BLUETOOTH technology has emerged as a preferred communication protocol for many IoT applications, including home and automobile.
Mobile devices, such as smartphones, typically feature built-in BLUETOOTH modules that allow users to “pair” with other BLUETOOTH devices. Paired BLUETOOTH devices communicate over an unlicensed, globally available short-range frequency band of 2.4 GHz. BLUETOOTH technology can link devices in close proximity (e.g., a few inches) to over 100 meters at speeds that vary depending on the BLUETOOTH device class and BLUETOOTH version.
Although Bluetooth facilitates effortless connections to vast amounts of information, users are not aware that the technology is vulnerable to a wide variety of security threats such as denial of service (“DoS”) attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation. BLUETOOTH popularity has given rise to a series of security risks known as bluejacking, bluebugging, and bluesnarfing. In bluejacking, a nefarious person discovers and anonymously sends a business card to another BLUETOOTH device. Bluebugging is more serious, which allows another BLUETOOTH user connectivity to issue commands on a remote mobile phone, such as to make calls, send SMS text messages, or even eavesdrop on conversations. Bluesnarfing allows a BLUETOOTH user connectivity to other devices within range in order to gain access to other user's contacts, address books, calendar, and more. As users store more personal information on BLUETOOTH-enabled devices, the need to address potential security and privacy threats becomes more pressing.
Every technology has its weaknesses. With the proliferation of IoT devices, security continues to be an afterthought to the desirability of devices that are constantly connected. The age of connectedness using mobile phones increases certain risks using BLUETOOTH and smart phones. Most of the existing threats come from the ignorance of users and improper security implementation by some manufacturers. There are weaknesses in the current BLUETOOTH standards, particularly for implementations with connected cars. Most security threats, however, are due to improper implementation by manufacturers.
Actual attack artifacts, for example, malware, SMS or network-based attacks, tend to become unique. This is problematic for security tools, which sometimes use the observation of the same suspicious artifact in multiple locations as an indication of maliciousness, and for security companies, which may prioritize the investigation of novel attacks and artifacts based on their prevalence. These same security tools used to detect maliciousness can be used by hackers intentionally to cause harm to the unsuspecting user.
A widely-known security tool such as Infotainment and Vehicle System Forensics (“iVe”) can be used against vehicles that leave embedded BLUETOOTH personal information. iVe is a vehicle system forensic tool that acquires user data from vehicles, and allows forensic examiners and investigators to analyze the user data. Vehicle infotainment systems store a vast amount of the user-related data, including, for example, recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, and the navigation history of the vehicle. iVe directly interfaces with vehicle systems via specially-designed hardware to acquire a full or partial binary image and decode the data. It also has the capability to recover deleted information from either image types. iVe can decode and parse data such as vehicle information, device information, navigation data, and vehicle events. There are a vast number of available security forensic tools ranging from standalone packages to complex integrated tools. These very tools, although initially developed for criminal investigations, are also used by hackers to commit crimes.
Most of the security problems related to computers are also valid for IoT smart phones and connected cars. As phones and other IoT devices have been equipped with more functions, more security issues arise. Most users do not recognize the serious consequences of leaving their BLUETOOTH device or contact lists synced in publicly accessible vehicles.